Are you ready for GDPR compliance?

By May 2018, all companies collecting and storing personal data will have to be GDPR compliant. It is high time you got ready!

The GDPR, what is it?

The GDPR, General Data Protection Regulation, is a set of measures issued by the European Commission that aims to protect the personal data of EU citizens. These measures will take effect in May 2018.

Which organizations are targeted?

The GDPR applies to any organization established in the EU that collects, stores or processes the personal data of EU citizens, independently of their physical presence on EU soil. The GDPR targets all types of organizations, whatever their size (SME, large company, start-up) or legal status (limited company, etc.).

Why is it important?

If a breach occurs, your company could face fines of up to 20 million EUR or 4% of your annual turnover.

What are the key concepts of the GDPR?

Personal Data

"Personal data means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person" (Regulation on GDPR, Official Journal of the European Union).

For example, an IP address, a national ID number or a credit card number could be considered personal data, as each of these pieces of information could enable the identification of an EU citizen.

Pay attention to the notion of 'additional information'.

Indeed, if you process a piece of information such as tuh@efficy.com together with the related personal phone number, it becomes easy to identify the person behind the email address. As a result, the email address should be considered personal data and treated as such.

Sensitive Personal Data

"Processing of [sensitive] personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation shall be prohibited" (Regulation on GDPR, Official Journal of the European Union).

What are the main principles of the GDPR?

PRINCIPLE I: Transparency

As a processor of data, you need to inform the data subject, in a transparent and intelligible way, about the purposes of the data processing and storage. You will need to justify the use of every item of data collected in a document (terms and conditions).

PRINCIPLE II: Consent

Consent is defined as "any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her" (Regulation on GDPR, Official Journal of the European Union).

It also implies that, at any time, the data subject can withdraw their consent, without any conditions.

PRINCIPLE III: Right to be Forgotten

"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies" (Regulation on GDPR, Official Journal of the European Union).

At any time, your prospect/customer/client can ask your company to delete all of their stored personal data. They can also ask you to transfer their data to a third party (another institution).

PRINCIPLE IV: Purpose Limitation

Personal data shall be collected "for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes." (Regulation on GDPR, Official Journal of the European Union).

You need to guarantee that the processed data are used only for the purposes the data subject agreed to and not for any other uncommunicated purposes. Data must also be used securely and under a supervisor, i.e. a controller who takes measures to protect the data and prevent breaches, leaks, alterations, unauthorised access, etc.

This new regulation really goes against the concept of Big Data.

PRINCIPLE V: Data Accuracy

Personal data shall be "accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay" (Regulation on GDPR, Official Journal of the European Union).

Your company needs to put in place 'data-cleansing' measures that keep data up to date and erase data that are no longer accurate.

PRINCIPLE VI: Integrity and Confidentiality

The processor needs to take every measure to "ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services" (Regulation on GDPR, Official Journal of the European Union).

To be compliant, your company will have to list everyone who accesses, processes, uses, handles or stores personal data, and make sure no data leaks occur.

PRINCIPLE VII: Accountability

In accordance with the accountability principle, "the controller shall be responsible for, and be able to demonstrate compliance" (Regulation on GDPR, Official Journal of the European Union).

If there is a personal data breach, the controller in charge has 72 hours to demonstrate that the breach at hand does not result in a risk to rights or freedoms or in some form of damage (reputational, professional or economic disadvantage, etc.).

Building on this, the GDPR states that: "taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary" (Regulation on GDPR, Official Journal of the European Union).

PRINCIPLE VIII: Automatic Processing

"The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes ‘profiling’ that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her" (Regulation on GDPR, Official Journal of the European Union).

The GDPR and Efficy

To ensure the GDPR compliance of its clients, Efficy has been developing several services that will help the customers of Efficy reach compliance and avoid data breaches. Have a look at Efficy's GDPR solutions here.

Links to interesting documents
GDPR test: gdprank.eu
EU Regulations: eur.lex.europa.eu
Peeters law: http://www.peeters-law.be
GDPR Expert: https://www.gdpr-expert.eu
Belgium.be: https://www.belgium.be